We just raised a $30M Series A: Read our story

Veracode OverviewUNIXBusinessApplication

What is Veracode?

Veracode covers all your Application Security needs in one solution through a combination of five analysis types; static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Unlike on-premise solutions that are hard to scale and focused on finding rather than fixing, Veracode comprises a unique combination of SaaS technology and on-demand expertise that enables DevSecOps through integration with your pipeline, and empowers developers to find and fix security defects.

Veracode Buyer's Guide

Download the Veracode Buyer's Guide including reviews and more. Updated: October 2021

Veracode Customers

State of Missouri, Rekner

Veracode Video

Pricing Advice

What users are saying about Veracode pricing:
  • "For the value we get out of it, coupled with the live defect review sessions, we find it an effective value for the money. We are a larger organization."
  • "From a cost perspective, it seems okay, although we will probably evaluate alternatives next time it's up for renewal because for us, it's a relatively high cost, and we want to make sure that we are using our resources most appropriately."
  • "Veracode is expensive. Some of its products are expensive. I don't think it's way more expensive than its competitors. The dynamic is definitely worth it, as I think it's cheaper than the competitors. The static scan is a little bit more expensive, around 20 percent more expensive. The manual pen test is more expensive, but it is an expensive service because it's a manual pen test and we also do retests. I don't think it is way more expensive than the competitors, but it's about 15 to 20 percent more expensive."
  • "The pricing is really fair compared to a lot of other tools on the market."
  • "Veracode is one of the more expensive solutions in the market, but it is worth the expense because of the eLearning and the security consultations; everything is included in the license."
  • "It is very reasonably priced compared to what we were paying our previous vendor. For the same price, we are getting much more value and reducing our AppSec costs from 40 to 50 percent."
  • "If I compare the pricing with other software tools, then it is quite competitive. Whatever the price is, they have always given us a good discount."

Veracode Reviews

Filter by:
Filter Reviews
Industry
Loading...
Filter Unavailable
Company Size
Loading...
Filter Unavailable
Job Level
Loading...
Filter Unavailable
Rating
Loading...
Filter Unavailable
Considered
Loading...
Filter Unavailable
Order by:
Loading...
  • Date
  • Highest Rating
  • Lowest Rating
  • Review Length
Search:
Showingreviews based on the current filters. Reset all filters
reviewer1360617
Sr. Security Architect at a financial services firm with 10,001+ employees
Featured Review
Real User
Top 20
Gave us much higher quality dynamic scanning with very few false positives and a robust static scanning solution

Pros and Cons

  • "Veracode's cloud-based approach, coupled with the appliance that lets us use Veracode to scan internal-only web applications, has provided a seamless, always-up-to-date application security scanning solution."
  • "One feature I would like would be more selectivity in email alerts. While I like getting these, I would like to be able to be more granular in which ones I receive."

What is our primary use case?

We are using Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), and Static Component Analysis (SCA). We use different types of scanning across numerous applications. We also use Greenlight IDE integration. We are scanning external web applications, internal web applications, and mobile applications with various types/combinations of scanning. We use this both to improve our application security as well as achieve compliance with various compliance bodies that require code scanning.

How has it helped my organization?

Veracode's cloud-based approach, coupled with the appliance that lets us use Veracode to scan internal-only web applications, has provided a seamless, always-up-to-date application security scanning solution.  

Our Veracode license includes a "people component" that allows developers to request an in-person session to be scheduled to review a defect. This has helped our application security personnel pool to free up time for other pursuits. I'm not sure if this is included in all licenses or is an add-on.

What is most valuable?

Being cloud-based is a huge plus. All of our scans are always using up-to-date scan signatures and rules, and there is nothing for us to maintain.  Veracode has been spot-on with notifying about planned downtimes for maintenance and upgrades.  In my years of using the product, unplanned downtimes have been minimal (in fact I can't remember one.)

The API integration that allows integration with other tools, such as defect trackers and automated build tools, is also a benefit. We also like the integrated, available "in-person" support sessions to review and ask questions on discovered defects.

What needs improvement?

We've had one occasion where a sub-product upgrade required action on our part faster than we initially understood it needed to happen.  This ended up being relatively minor.  

One feature I would like would be more selectivity in email alerts. While I like getting these, I would like to be able to be more granular in which ones I receive. 

Separately, I find the results console somewhat confusing.  When you are running multiple scan types for the same application, I've sometimes found it difficult to sort out where issues came from when I need that information.

For how long have I used the solution?

We have been using Veracode for over four years.

What do I think about the stability of the solution?

Our solution is highly stable with minimal downtimes.  (In fact I don't recall the last time there was an unplanned Veracode cloud outage that impacted us.)  We previously had occasional issues with the scan appliance model, but the relatively recent switch to the ISM model has been much more stable.

What do I think about the scalability of the solution?

Given that is is cloud based, coupled with their newer app-based internal scan model, we are pleased with the scalability and have not experienced any issues with scale.

How are customer service and technical support?

As mentioned in prior comments, Veracode is simply put our best vendor in terms of relationship, value-add, and customer service/technical support. We get responsive answers from support, and their support resources clearly understand the product, and issues are resolved quickly.

Which solution did I use previously and why did I switch?

Yes. We used a legacy, heavyweight dynamic scanning product. It would produce hundreds of pages of (mostly) false positives that were nearly impossible to digest and tune. We also didn't have a static scanning product. Moving to Veracode gave us much higher quality dynamic scanning with very few false positives (in part due to their model of human-assisted tuning, provided by them) and a robust static scanning solution.

How was the initial setup?

The setup was easy and straight forward. We had some issues with API calls from our build automation tools, but this was related to networking issues in reaching the Veracode servers on the Internet, not the Veracode product itself.

What about the implementation team?

We implemented with all in-house resources.

What was our ROI?

We achieve greatly improved security, earlier detection of security defects in the lifecycle, and as well as neatly meeting compliance requirements.

What's my experience with pricing, setup cost, and licensing?

For the value we get out of it, coupled with the live defect review sessions, we find it an effective value for the money. We are a larger organization.

Which other solutions did I evaluate?

Checkmarx and SonarQube.

What other advice do I have?

Of all the tools vendors I have relationships with, Veracode is simply our best vendor in terms of partnership, value add, and support responsiveness. 

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Stephen Pack
Software development program leader at Vendavo
Real User
Good reporting, comprehensive interface, and integrates well into our build pipeline

Pros and Cons

  • "The static scan is the feature that we use the most, as it gives us insight into our source code. We have it integrated with our continuous integration, continuous delivery system, so we can get insight quickly."
  • "The ideal situation in terms of putting the results in front of the developers would be with Veracode integration into the developer environment (IDE). They do have a plugin, which we've used in the past, but we were not as positive about it."

What is our primary use case?

My company produces a SaaS application that is used by very large customers for pricing analytics and sales workflows. The data that our customers put into our software is very sensitive and confidential. This means that they want a high degree of confidence that our solution is secure.

We use Veracode as one of the pillars that we can point to as helping us to deliver on the promise of having a secure product. We have a multi-dimensional security program and Veracode is one important aspect of that.

How has it helped my organization?

Veracode provides guidance for fixing vulnerabilities. It provides guidance to help us understand what it flags, and what we can do about it. It still takes some interpretation and insight on our side, but we aren't generally security experts, so we get good information from Veracode to help inform us.

The developers are able to understand the types of issues Veracode looks for, and then as they see that happen, it helps them to learn. It's good because they consider it the next time and hopefully, we don't need Veracode to flag the issue because there is no issue.

With respect to efficiency when it comes to creating secure software, Veracode is able to help us with very low overhead. There's not a lot of work needed on our side unnecessarily. Once we've wired everything together, it's seamless to get the scan done and get the results back and know what we need to do about them.

We use Veracode for some of our older, more monolithic software, as well as for our newer solutions, which are designed to be cloud-native. We've found Veracode useful in both use cases; first, with our huge monolithic software, as well as with our microservices cloud-native solutions.

In terms of AppSec, there are a lot of benefits that cloud-native design brings in terms of not only cost and scalability, but testability and security. Certainly, the design patterns of cloud-native are well aligned with delivering good security practices. Working with products that support cloud-native solutions is an important part of our evolution.

Using Veracode has helped with developer security training and skill-building. It's definitely a good way to create awareness and to deliver information that's meaningful and in context. It's not abstract or theoretical. It's the code that they've written yesterday that they're getting feedback on, and it is a pretty ideal way to learn and improve.

The static scan capability is very powerful. It's very good in terms of the signal-to-noise ratio. The findings that we get are meaningful, or at least understandable, and there's not a bunch of junk that some other code scanning tools can sometimes produce. Having results like that make it hard to find the valuable bits. Veracode is highly effective at finding meaningful issues.

The speed of the static scan is okay. It meets or exceeds our expectations. For our monolithic application, which is a million lines of code, it takes a while to scan, but that's totally understandable. If it could be done magically in five minutes, I wouldn't say that's bad. Overall, it's very reasonable and appropriate.

Veracode has policy reporting features for ensuring compliance with industry standards and regulations. We have one such policy configured and it's helpful to highlight high-priority areas. We can address and help focus our effects, which ensures that we're spending our time in the best way possible for security movement. The policy is a good structure to guide results over time.

We use Veracode as one metric that we track internally. It gives us information in terms of knowing that we are resolving issues and not introducing issues. I cannot estimate metrics such as, for example, Veracode has made us 10% more secure. I can certainly say it's very important when we talk to our customers about the steps we follow. We do external pen tests, we do web app pen tests, and we also use Veracode. It's certainly very helpful in those conversations, where we can state that it is one of our security practices, but there's no outcome-based quantitative statistic that I can point to.

What is most valuable?

The static scan is the feature that we use the most, as it gives us insight into our source code. We have it integrated with our continuous integration, continuous delivery system, so we can get insight quickly. We're doing scans daily, so that's the most important feature for us.

The interface is great. It allows us to look at our different applications, understand all of the different types of scans, as well as the results. The types of testing include SAST, DAST, and SCA, and it pulls all of the information together into a single view. It also produces reports that we can give to our customers when requested.

Veracode certainly provides a quick and intuitive way to understand the results, to see the context of them, and to identify what we need to do to address them. In general, it's a pretty quick way to get the information that we need in the most useful way possible. Then, we can turn around an action plan.

We have it integrated with our build pipeline and that works well. It's very important because we don't have to complete a separate, manual step of sending the software up to Veracode to scan it and get the results. It's great. the more things that we can integrate into the build pipeline, the better. It's a very positive thing.

Veracode is very good in terms of not having a lot of false positives. It would be very frustrating if a tool gave you 10 good results but 50 false positives. Even with the issues that we get that we choose not to address, we can still understand why they're being flagged. We have found that the results are meaningful and accurate, which gives us confidence in the solution when fixing vulnerabilities. 

We may choose not to address them for different reasons. For example, it could be because it's an issue about input sanitization, but we have another layer on top of that component to handle that task. We can recognize that it's important that Veracode is flagging those things at that lower level, and that they're bringing that additional insight and consideration to the designs that we're choosing. Overwhelmingly, even the issues we choose not to address are still valuable and meaningful, so the actual false positive rate is quite low.

This is a very useful and powerful tool that ensures our code is well-designed and correctly implemented. It is important that it's only one aspect of a security program and not the only insight or the only test. That said, it provides us with some pretty important feedback and insights that we wouldn't have a great way to get otherwise.

What needs improvement?

The ideal situation in terms of putting the results in front of the developers would be with Veracode integration into the developer environment (IDE). They do have a plugin, which we've used in the past, but we were not as positive about it. The pricing model was expensive and the results were not the same as the full solution analysis. It gives a differently scoped "just in time" analysis within the context of the IDE, so it didn't speak to the same problem space.

The best situation would be the one where the developers don't even need to log into the web portal, and the results from the scans would be delivered into their IDEs. It would be an asynchronous job, but if they could see the results right there, while they're working on the code, then they wouldn't need to go to a separate tool to look at the information to figure out what to do next.

The workflow today on the build side is optimal, so imagine that's still doing the same thing but then in the backend, whenever a developer has that project open in the browser, if they chose to, they could enable a view to see the most recent Veracode results of that module. That scan might be from last night or six hours ago or any other point, and that's fine. It would be the best possible situation to put the results and the actions right in front of the developer, in the tool that they're already using when they're touching the code.

The only other thing that we've found a reasonable workaround with is how to work with microservices in the context of Veracode. This was necessary because Veracode's licensing model and the interaction model are built around an idea of an application. When you're talking about a section of business logic that's being delivered by possibly dozens of microservices, there is some friction with Veracode in terms of how that application gets defined and how the scans occur and get reported on.

When we reached out to Veracode about this, I got a slide deck that provided us with different options of how they recommend proceeding in this context. It was helpful, and clearly a question they've considered and they had answers ready to go on. The ideas helped us and essentially reinforced what we were already thinking. It's getting the job done, but it still feels like a little bit of a square peg in a round hole and it could be a little smoother in terms of that interaction.

The problem boils down to how we fit the microservices architecture into the Veracode notion of an application. We need to be able to get a holistic view across the microservices, which is extremely challenging, especially when those microservices are owned by different teams who have different needs to see and respond to the scans. 

For how long have I used the solution?

I have been using Veracode for between five and six years.

What do I think about the stability of the solution?

The stability is great. They've probably had some downtime, but I don't know about them. From our perspective, it's been solid.

I know the web portal has some planned downtimes because I see the splash screens about them. They're good about warning you, but they're also performed at very weird times, like the middle of the night, so it's never blocked me from getting in when I need to get in.

What do I think about the scalability of the solution?

We use Veracode for all of our software development. We have more than 100 engineers, and our entire engineering team is using it. Obviously, every team has some designated people who look at this more than others, so not everybody's in there every day, but in terms of the software we write, we know that it's all being scanned constantly.

Over the last few years, we've made a couple of acquisitions of other companies and when we've done that, we very quickly brought those solutions in as well. We've seen the value and because of that, it's part of our onboarding process when we integrate other companies into our environment.

If we create another solution or we acquire another company, we will certainly expand our use of Veracode to match within our current solution stack.

How are customer service and support?

The support has been good at understanding issues. There are two aspects of technical support. One concerns issues with the platform in terms of functionality, and the other is that they will provide you with assistance in terms of interpreting your findings.

Our experience from the technical side is that they helped us with figuring out how to best use the platform for microservices applications. They were very helpful in that conversation.

We also have experience with the other layer of technical support that Veracode provides, which is where you can get consultations about the findings. We've done a few of those where you set up an appointment with a Veracode engineer. It helps to understand the results if the platform isn't totally clear on why something is a problem or what we need to do about it. For us, that's been pretty good.

Obviously, the Veracode engineer doesn't have the full understanding of what our application does and in a short call, you can't possibly do an architectural deep dive to understand the context of an issue, but their conversations have been useful when we've had them in terms of understanding issues and context and if we need to do anything.

Which solution did I use previously and why did I switch?

Prior to using Veracode, we used other code quality scanning tools, but not anything at the level of Veracode for security issues.

How was the initial setup?

The initial setup was straightforward. It was pretty easy to get going and we've incrementally gotten better and deeper as we've used it over the years.

The initial setup was manual uploads of applications, and then it was about incorporating it into our build pipelines and using the sandbox to support our microservices architecture. We've gotten more mature over time, but time to initial use and results were very easy.

Only a very short time is required for deployment, as there is very little that has to be done. Ours was completed within a couple of days and that's a matter of coordination in terms of getting our teams to upload a solution and figure it out. It was a learning experience for us but there was no time or delay brought on by the solution.

When we first began with Veracode, the initial strategy was just to get our first solution uploaded and scanned and see what the results looked like. We didn't have a systematic history of doing that, back then.

With approximately 500 employees, we're not a huge company. Deploying it in an enterprise company would be a different situation but for us, it was just a matter of understanding how we needed to configure the platform and how we needed to provide our software and states and get good results.

It probably took a couple of uploads of trial and error and we were running.

What about the implementation team?

We implemented the solution in-house. It is not that complicated.

In terms of maintenance, there is certainly some overhead involved for each team. They have to make sure that the build pipeline integration is still working and essentially, that we're still getting results. Occasionally, for whatever reason, it breaks and somebody has to go in and fix it.

I can't say that there is no staffing required for maintenance but it's rare. In total, a few hours a month across the company is spent keeping it going. More time is spent evaluating and resolving the findings, which is part of our development work. That's not imposed by the solution but rather a positive outcome from using Veracode. As such, I wouldn't count that as maintenance. 

What was our ROI?

We have seen a return on our investment with Veracode. I can't point to a dollar figure, but I've been directly involved in customer conversations where we can talk about our security program and how Veracode is an important element. We've distributed report summaries and talked about results with our customers and having this information in those conversations is definitely valuable.

It's also very useful that we can talk about it with our security auditors. We have SOC 1, SOC 2, and ISO 27001, and they don't specify that you must have a static analysis tool. But when we need to maintain secure engineering practices, having a tool like Veracode is very important for us to demonstrate that to auditors. There's certainly value there as well.

There is also a tremendous value on the marketplace that we get from having those security audits and certificates, which is a second-order of value that Veracode drives.

I can't say with certainty that Veracode reduces the cost of application security, although I would say that it focuses our effort. It gives us guidance and prioritization on where we should spend time. Otherwise, we might not know about particular issues. We might inadvertently spend time on things that aren't that valuable. So, the value is more about focusing on where we need to spend time.

What's my experience with pricing, setup cost, and licensing?

From a cost perspective, it seems okay, although we will probably evaluate alternatives next time it's up for renewal because for us, it's a relatively high cost, and we want to make sure that we are using our resources most appropriately.

I like that the platform provides you with some flexibility. We had to revise our licensing because it did not fit our environment. We wanted to license based on the number of applications, rather than another measure such as the number of lines of code. There was clearly some complexity that led us to be in that situation, although it seems preventable. Ever since our last renewal, the licensing has been smooth and clear. There is a certain amount of flexibility in that regard but also, they allow us some leeway in our current model.

There have been times when for some reason, we spin up a new application on a temporary basis. It may be because we're trying a new configuration. Even though we're licensed for a certain number of applications, the platform lets us exceed that. Consequently, we receive an email stating that we can't do that forever, but it's very useful to have the flexibility for the couple of times that we've used it to briefly exceed the application account.

Which other solutions did I evaluate?

I am not sure what other solutions, if any, the company looked at before choosing Veracode initially. We have renewed it since that time and we pretty quickly decided to stick with Veracode, rather than switching. However, because of the relatively high cost, we will probably evaluate other options next time it's up for renewal.

What other advice do I have?

We see at least quarterly updates about new features or things that have been fixed. It happens without our involvement, which is great.

My advice for anybody who is considering Veracode is to test it. Although I have not compared Veracode against other products as part of an evaluation process, it would be very useful and very easy to actually try it. Top-load your application, get the results and take a look at what Veracode finds. This is the most useful activity somebody could do.

This is a product that lives up to its promise. It's easy to use, and it's predictable. There are some improvement opportunities but on the whole, it's very good at what it does. 

I would rate this solution a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Flag as inappropriate
KB
Sr. VP Engineering at a tech vendor with 51-200 employees
Real User
Gives us one place to see details of vulnerabilities, including severity and where they're found in the code

Pros and Cons

  • "There is a single area on the dashboard where you can get a full view of all of the tests and the results from everything. There is a nice, very simple graphic that shows you the types of vulnerabilities that were found, their severity, the scoring, and in what part of the code they were found. All the details are together in one place."
  • "I would ask Veracode to be a lot more engaged with the customer and set up live sessions where they force the customer to engage with Veracode's technical team. Veracode could show them a repo, how they should do things, this is what these results mean, here is a dashboard, here's the interpretation, here's where you find the results."

What is our primary use case?

There are three areas where we started using Veracode immediately. One is static component analysis. The second is their static application security test, where they take a static version of your code and scan through it, looking for security vulnerabilities. The third piece is the DAST product or dynamic application security test.

We also use their manual pen-testing professional services solution in which they manually hit a live version of your product and try to break it or to break through passwords or try to get to your database layer—all that stuff that hackers typically do.  

How has it helped my organization?

One of the big things for us, and something that I realized because of my experience with engineering teams for more than 20 years, is that when it comes to security, changes are happening so fast. The vulnerabilities are being uncovered so quickly that we cannot go at this alone. No matter how big an army of engineers you have internally, who scan systems, study security engineering best practices, and do a lot of research, there is no way for an individual organization to keep up with everything that's going on out there. Leaning on an expert like Veracode, a company where this is their only job, is absolutely critical for us and game-changing. It really took it up a notch for us in terms of identifying challenges before they occur.

We were using best-coding practices already, but the question was, is that good enough? The first thing we got out of Veracode was a quick validation of our processes. They said, "Oh this is great. What you've been doing is extremely good. Now keep doing what you're doing from a design and development perspective." But, yes, the world is changing so fast that we also want to make sure that we stay ahead of best practices.

When OWASP, which is the main group that puts out lists of the top ten security issues, updated their list recently, Veracode provided it to us, even though it was something that was right off the OWASP website. When you're with Veracode and you're talking about it, your engineers pay extra attention to it. They look through it and they think about what they can do better when they code. We felt we couldn't go at it alone. We needed a partner. Veracode has been a great partner so far for us.

The four products we have from Veracode give us visibility into application status and help to reduce risk exposure for our software. That is one of the things we like about Veracode a lot. There is a single area on the dashboard where you can get a full view of all of the tests and the results from everything. There is a nice, very simple graphic that shows you the types of vulnerabilities that were found, their severity, the scoring, and in what part of the code they were found. All the details are together in one place. Having one area where we get all these results, rather than having to run around and pull reports together from four or five different places, is very helpful to us.

The solution has also definitely reduced the cost of application security for our organization. But the point is almost moot. Thinking about security engineering costs in a silo doesn't make sense anymore. You need security to be integrated completely into your product. Ten years ago, or even five years ago, we would have hired a couple of security engineers who would have been solely and entirely responsible for software security. They would have done their best using some integrated tools and some manual tools. But in no way would they be close to being as efficient and capable as Veracode's tools.

Hiring engineers would be a bad idea because, aside from their being more expensive than Veracode's tools, guaranteed, two security engineers are not going to come close to identifying all of the issues and challenges that Veracode is uncovering for us. Veracode has a large team that is constantly learning, growing, and engaging the industry as a whole, to understand the latest and greatest for security best practices and security vulnerabilities. Two engineers don't have the time to do that much work. To me, it's not even a question of budget. It's more a question of leveraging an industry leader that has core competency in this area. We need a partner like that to work with us.

What is most valuable?

With the static component analysis, they scan your code statically and they look specifically at third-party libraries and at any third-party code that you have in your product for vulnerabilities, updates, and changes in licensing. For example, if one of them changed from a license that allowed for more changes on your side to something that is more restrictive, they would flag that for you so that you can evaluate it and know immediately that you need to take some action. They keep abreast of the latest and greatest regarding third-party components. That has been good and very helpful for us to know how secure our product is as a result of using third-party libraries, as we didn't write that code.

The SAST component looks directly at our own code and any best practices we haven't followed and whether there is a security challenge or loophole. We get immense value from that as well. They've been able to flag items and say, "While this is a low-risk item, we would suggest you refactor it or add it to your roadmap to close that loophole, just in case a very clever hacker tries to get around your system. That has been very helpful to us too.

And the SAST is very quick. It sniffs through the product very quickly and almost immediately gives us the results we need. Static analysis is something you do every once in a while, in a very regimented and rigorous way, so you don't need it to be super-duper fast, but you need it to be efficient. You don't want to wait days for them to give you an analysis. And Veracode's static analysis comes back in a very short period of time.

With the DAST, you provide their product with a dynamic instance of your operational product, by pointing the dynamic testing tool at your product. It beats it up, pokes around, and tries to find ways to penetrate its defenses and find security issues and challenges within your product.

Veracode also has a very good report that gives us best practices regarding ensuring compliance, and we can go back to them for additional consulting. We've not had to do that. We typically scan through it and say, "Okay, it's good that it meets those best practices." We rely on them to make sure that their products are kept updated, so that we don't have to review a lot of these standards issues.

Also, as we did our analysis of Veracode, we loved the fact that they are completely integrated into GitHub. You can trigger everything using GitHub Actions. You don't want to go too far out of the application, move something into another repo, and have to write or copy and paste it over. Veracode easily integrated into our GitHub repos.

What needs improvement?

One thing I would strongly encourage Veracode to do, early on in the process—in the first 30 days—is to provide a strong professional services-type of engagement where they come to the table with the front solution engineers, and work with their customer's team and their codebase to show how the product can be integrated into GitHub or their own repository. They should guide them on best practices for getting the most out of Veracode, and demonstrate it with live scanning on the customer's code. It should be done in a regimented way with, say, a 30-minute call on a Tuesday, and a 30-minute call on a Friday.

I would ask Veracode to be a lot more engaged with the customer and set up live sessions where they force the customer to engage with Veracode's technical team. Veracode could show them a repo, how they should do things, this is what these results mean, here is a dashboard, here's the interpretation, here's where you find the results. And they should say, "If you don't understand something, here's how you contact customer support." A little bit more hand-holding would go a long way toward the adoption of Veracode's technology.

For how long have I used the solution?

I'm familiar with Veracode from a couple of companies. One is my previous company. We had examined the platform and trialed it for use. When I joined my current company, about six months back, I looked at various platforms that we could use for both static and dynamic testing of our code and I naturally picked Veracode. I had familiarity with them and experience with them. We did some research on them and we did a couple of reviews with my engineers, and then I decided to sign up with Veracode.

What do I think about the stability of the solution?

It's a very stable solution, absolutely. We've had no issues with it. We have not had to poke around and report bugs or anything of that sort.

What do I think about the scalability of the solution?

We have not had any scale limitations thus far, not even close. Maybe it's the size of our repositories and what we do, but for our needs, it has been super-scalable.

It's being used by all my teams now. I'd like it to be used even more often by building a tighter integration into our regular SDLC practices. I'm hoping that that happens over time. That is one of my focal points as I start to plan for next year.

How are customer service and support?

We bought their premier service package and that allows us to have access to their consultants, their customer support, and their customer success manager so that we get a higher level of service from them. We took the premier package from day one because we needed the consulting hours, help, and training from them.

Every month or so we have a call with their customer success group. Sometimes we come prepared and say, "Hey, we want to talk about these specific five things," and other times we just ask them to give us their latest and greatest and to update us on what has happened since the last time we spoke: What did you add to the product? What did you find? What should we be watching out for? They alert us to new vulnerabilities and things that we should be looking for.

We also do a hands-down, tactical Q and A, where we ask questions like, "Hey, we tried to do this and it failed," or about challenges we had and how they suggest we go about resolving them. I pretty much have my entire team on these calls and that helps us stay on top of things. As VP of engineering, I'm a big believer in shift-left practices. I would like to make sure that my team takes full responsibility for quality assurance and security.

Which solution did I use previously and why did I switch?

We did not have a previous solution for application security testing in this company.

How was the initial setup?

The initial setup was straightforward. That was something I really liked about it in my previous job, and it bore fruit right away in what we are doing in my current company. That's one of the reasons I chose them. It's very easy to set up. You can get going quickly and you don't have to learn a whole lot. We were able to integrate it into our system fairly quickly, and start, almost immediately, to generate the results we needed to improve our product.

They do an immediate kickoff right after you sign the contract so you can ask questions like, "How do we set this up? What do we do?" We went through that and, once they trained us on those things, we did not really have a reason to go back to customer support. The product is pretty intuitive. They sent us a couple of videos and provided some early consulting for setup. They have a good process, including a 30-day check-point. Very recently, there was one small thing we needed in terms of knowledge and education and they came back to us with a quick response.

We were ready to run tests within two weeks of setup, and we accomplished running it within a month of buying the product.

It does require much maintenance at all. I love the fact it's a SaaS product. Every time we use it, we're getting the latest version. It's updated automatically. We get decent updates about product management and the roadmap.

What about the implementation team?

In terms of implementation services, we didn't go to any third party. Veracode was pretty good. They were very responsive and answered questions. We were able to get the help we needed.

If Veracode thinks that it's best to bring in an integrator for the first 30 days, they should build that into the cost of the contract. I don't think I would have blinked if they had told me, "We suggest paying a little bit extra for the first year because we want you to purchase a professional services contract from this company. They will work with you for a month and guarantee to get you up and running with best practices within 30 days."

What's my experience with pricing, setup cost, and licensing?

I was impressed with the pricing we got from Veracode. I was able to make it work very well within our budget.

Which other solutions did I evaluate?

When I came to my current company, I looked at a few options for security testing, and then zeroed in Veracode as the best option for us and for what we needed to do. We didn't go through too many competitors. Because I had experience with it, I said we should use it. I felt that it was the right product for us.

One of the advantages of Veracode is that it is a one-stop shop for everything you need. I did not want to hunt around for five different solutions and have to put them together and have to use five different dashboards. I really wanted a single solution for all our needs, and that's what I got from Veracode: static, dynamic, and the manual pen testing.

What other advice do I have?

My advice would depend on the size of your company and whether you have dedicated security engineers. For us, given the size of our company, Veracode has been very important. We needed a turnkey solution, and one that integrated directly into our product. We wanted something immediate. We couldn't take the time to hire a bunch of security engineers and have them figure it out and then do an RFP. That was not us.

If you're in that position, where you need something that really meets all of your software security needs during the development life cycle, check out Veracode for sure. Look at a couple of their competitors. It's fine to kick the tires a bit and then what you can get from others, but I would definitely recommend that one-stop-shop type of thinking. You really want to get your solutions from one vendor, a partner that is strong in this area.

For the manual pen testing, there's a full day where they engage your product. It takes us about half a day of planning and putting it together, and then providing them with a live website. They then bring their team together and go through all the reports about what they saw and, typically, within a period of three days from the time of the manual pen test, we get results from them. Along with that, they also offer any kind of service you need to interpret or understand the results. You can also get some follow-on from them in terms of best practices and how to fix things.

In terms of false positives, I like my security scans to be a little more conservative, rather than being aggressive about eliminating things without me seeing them. I'm okay with the fact that, every once in a while, they flag something and bring it to our attention, and we see that it is really a non-issue. The reason that is my approach is that, when you do a static scan or a pure dynamic scan, these products don't completely understand your application environment. They cannot guess that this or that code is not used in this fashion. They can only flag something to bring it to your attention, and then you make the judgment call.

Veracode has flagged a few issues for us that we decided were non-issues. In their dashboard, you can actually provide a dispensation for each of those items. So we have gone in there and checked a box and put a comment saying, "Not applicable to our workflow." I was very happy that they caught those things. It gives us some confidence that they're looking deep into our product. We haven't had any major issues with false positives. What they flagged to us was reasonable, and we were able to decide that they were not really an issue for us.

Our confidence level is very high, thanks to Veracode's solution and our internal focus on shift-left methodology. I push my engineers to make security a part of the design, development, and testing processes. It can't be something that is done as an afterthought. We need shift-left thinking all the way to the left. You want to tackle an issue before it occurs.

Overall, Veracode has affected all our application security in a very strong, positive way, and I look forward to using their products and technology to continuously improve our security best practices.

I would give it a 10 out 10. It really is a strong solution for the industry. I'm looking forward to engaging Veracode in an even stronger way in 2022. I want to tightly align what we're doing, from a security best-practices perspective, even more with what they have to offer.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Flag as inappropriate
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: October 2021.
552,027 professionals have used our research since 2012.
ITCS user
Software Architect at Alfresco Software
Real User
Top 20
Prevents vulnerable code from going into production, but the user interface is dated and needs considerable work

Pros and Cons

  • "The solution's ability to prevent vulnerable code from going into production is perfectly fine. It delivers, at least for the reports that we have been checking on Java and JavaScript. It has reported things that were helpful."
  • "Veracode has plenty of data. The problem is the information on the dashboards of Veracode, as the user interface is not great. It's not immediately usable. Most of the time, the best way to use it is to just create issues and put them in JIRA... But if I were a startup, and only had products with a good user interface, I wouldn't use Veracode because the UI is very dated."
  • "Another problem we have is that, while it is integrated with single sign-on—we are using Okta—the user interface is not great. That's especially true for a permanent link of a report of a page. If you access it, it goes to the normal login page that has nothing that says "Log in with single sign-on," unlike other software as a service that we use. It's quite bothersome because it means that we have to go to the Okta dashboard, find the Veracode link, and log in through it. Only at that point can we go to the permanent link of the page we wanted to access."

What is our primary use case?

The use case is that we have quite a few projects on GitHub. As we are a consulting company, some of these projects are open source and others are enterprise and private. We do security investigating for these projects. We scan the repository for both the static analysis—to find things that might be dangerous—and we use the Software Composition Analysis as well. We get notifications when we are using some open source library that has a known vulnerability and we have to upgrade it. We can plan accordingly.

We are using the software as a service.

How has it helped my organization?

It has improved the way our organization functions mostly because we can perfect the security issues on our products. That means our product managers can plan accordingly regarding when to fix something based on the severity, and plan fixes for specific releases. So, it has improved our internal process. It has also improved the image of the company from the outside, because they can see in the release notes of our products that we take security seriously, and that we are timely in the way that we address issues.

The solution has helped with developer security training because when we open a ticket with information coming from Veracode, it explains, for example, that some code path or patterns that we have used might be dangerous. That knowledge wasn't there before. That has really helped developers to improve in terms of awareness of security.

What is most valuable?

The feature that we use the most is the static analysis, by uploading the artifacts. We have two types of applications. They are either Java Server applications using Spring Boot or JavaScript frontend applications. We scan both using the static analysis. Before, we used to do the software composition on one side and the static analysis. For about a year now, we have had a proper security architect who's in charge of organizing the way that we scan for security. He suggested that we only use the static analysis because the software composition has been integrated. So in the reports, we can also see the version of the libraries that have vulnerabilities and that need to be upgraded.

It is good in terms of the efficiency of creating secure software.

My team only does cloud-native applications. Ultimately, the part that we are interested in, in testing, works fine.

There are some false positives, like any products that we have tried in this area, but slightly less. I would trust Veracode more than the others. For example, we had quite a few issues with Snyk which was much worse in terms of false positives, when we tested it for open source.

Also, the solution's ability to prevent vulnerable code from going into production is perfectly fine. It delivers, at least for the reports that we have been checking on Java and JavaScript. It has reported things that were helpful.

What needs improvement?

What could improve a lot is the user interface because it's quite dated. And in general, as we are heavy users of GitHub, the integration with the user interface of GitHub could be improved as well. 

There is also room for improvement in the reporting in conjunction with releases. Every time we release software to the outside world, we also need to provide an inventory of the libraries that we are using, with the current state of vulnerabilities, so that it is clear. And if we can't upgrade a library, we need to document a workaround and that we are not really touched by the vulnerability. For all of this reporting, the product could offer a little bit more in that direction. Otherwise, we just use information and we drop these reports manually.

Another problem we have is that, while it is integrated with single sign-on—we are using Okta—the user interface is not great. That's especially true for a permanent link of a report of a page. If you access it, it goes to the normal login page that has nothing that says "Log in with single sign-on," unlike other software as a service that we use. It's quite bothersome because it means that we have to go to the Okta dashboard, find the Veracode link, and log in through it. Only at that point can we go to the permanent link of the page we wanted to access.

Veracode has plenty of data. The problem is the information on the dashboards of Veracode, as the user interface is not great. It's not immediately usable. Most of the time, the best way to use it is to just create issues and put them in JIRA. It provides visibility into the SAST, DAST and SCA, but honestly, all the information then travels outside of the system and it goes to JIRA.

In the end, we are an enterprise software company and we have some products that are not as modern as others. So we are used to user interfaces that are not great. But if I were a startup, and only had products with a good user interface, I wouldn't use Veracode because the UI is very dated.

Also, we're not using the pipeline scan. We upload using the Java API agent and do a standard scan. We don't use the pipeline scan because it only has output on the user interface and it gets lost. When we do it as part of our CI process, all the results are only available in the log of the CI. In our case we are using Travis, and it requires someone to go there and check things in the build logs. That's an area where the product could improve, because if this information was surfaced, say, in the checks of the code we test on GitHub—as happens with other static analysis tools that we use on our code that check for syntax errors and mapping—in that case, it would be much more usable. As it is, it is not enough.

The management of the false positives is better than in other tools, but still could improve in terms of usability, especially when working with multiple branches. Some of the issues that we had already marked as "To be ignored" because they were either false positives or just not applicable in our context come down, again, to the problem of the user interface. It should have been better thought out to make it easier for someone who is reviewing the list of the findings to mark the false positives easily. For example, there were some vulnerabilities mentioning parts of libraries that we weren't actually using, even if we were including them for different reasons, and in that case we just ignore those items.

We have reported all of these things to product management because we have direct contact with Veracode, and hopefully they are going to be fixed. Obviously, these are things that will improve the usability of the product and are really needed. I'm totally happy to help them and support them in going in the right direction, meaning the right direction from my perspective.

For how long have I used the solution?

I have used Veracode for quite a long time now, about two years. I have been working here for three years. In my first year, the company was using a different product for security and then it standardized on Veracode because every department had its own before that. There was consolidation with Veracode.

What do I think about the stability of the solution?

The stability is good. What I have seen in the stats is that there is downtime of the service a little too often, but it's not something, as a service, where you really need that level of availability on. So I'm not really bothered by that.

What do I think about the scalability of the solution?

We don't have to do anything to scale, because it's SaaS. 

We started with a smaller number of users and then we extended to full single sign-on.

How are customer service and technical support?

The staff of Veracode is very good. They're very supportive. When the product doesn't report something that we need and is not delivering straight away, they always help us in trying to find a solution, including writing custom code to call the APIs.

From that point of view, Veracode is great. The product, much less so, but I believe that they have good people. They are promising and they listen so I hope they can improve.

Which solution did I use previously and why did I switch?

We started with WhiteSource, but it didn't have some features like the static analysis, so it was an incomplete solution. And we were already using Veracode for the static analysis, so when Veracode bought SourceClear, we decided to switch.

How was the initial setup?

The initial setup is easy and quite well documented. I was really impressed by the quality of the technical support. When I had problems, that the product wasn't good enough for me, they were always there to help and give suggestions.

Being a service, there wasn't really much of an implementation. It's not complex to use.

What was our ROI?

My job is mostly technical. I don't own a budget and I don't track numbers. But as the customers are really keen on having us checking security issues, I would definitely say that we have seen a return on investment.

Most of our customers tend, especially in the software composition analysis, to apply their own in-house tools to the artifacts that we share with them. Whenever we release a new version of software and Docker images, they upload it to their systems. Some of them have the internal equivalent of Veracode and they come back to us to say, "Hey, you haven't taken care of this vulnerability." So it is very important for us to be proactive on each set of release notes. We need to show the current status of the product: that we have fixed these vulnerabilities and that we still have some well-known vulnerabilities, but that there are workarounds that we document. In addition they can check the reports that we attach, the reports from Veracode, that show that the severity is not high, meaning they don't create a big risk.

It delivers because we haven't been thinking, "Okay, let's consider another product." We might see some savings so I think the pricing is right.

Which other solutions did I evaluate?

For open source projects we mostly tested Snyk, which works quite well with JavaScript but much less so with other technologies. But it has some bigger problems because Snyk considers each file inside a repository of GitHub as a separate project, so it was creating a lot of false positives. That made it basically unmanageable, so we gave up on using it.

We have also been using an open source project called the OWASP Dependency-Check that was doing a decent job of software composition analysis but it required a lot of effort in checking false positives. To be honest, it would have been a good solution only if we didn't have a budget for Veracode, but luckily we had the budget, so there was no point in using it.

Another one that we tried, mostly because it was a small company and we had the opportunity to speak directly with them to ask for some small changes, was a company called the Meterian. It doesn't do static analysis, but otherwise the software composition analysis and the library report were the best of the bunch. From my perspective, if we didn't have the need for static analysis, I would have chosen Meterian, mostly because the user interface is much more usable than Veracode's. Also, the findings were much better. We still use it on the open source project because they offer a free version for open source—which is another good thing about some of these products, where the findings are available to anyone. For a company like ours, where we have both open source and enterprise products, this is quite good. Unfortunately, with Veracode, if we scan the open source project, we cannot link the pages of Veracode with the findings because they are private. That's a problem. In the end, for the open source projects, we are still using Meterian because the quality is good.

My main issues with Veracode, in general, are mostly to do with the user interface of the web application and, sometimes, that some pages are inconsistent with each other. But the functionality underneath is there, which is the reason we stay with Veracode.

What other advice do I have?

Usually, we open tickets now using the JIRA/GitHub integration and then we plan them. We decide when we want to fix them and we assign them to developers, mostly because there are some projects that are a little bit more on the legacy side. Changing the version of the library is not easy as in the newer projects, in terms of testing. So we do some planning. But in general, we open tickets and we plan them.

We also have it integrated in the pipelines, but that's really just to report. It's a little bit annoying that the pipeline might break because of security issues. It's good to know, but the fact that that interrupts development is not great. When we tried to put it as a part of the local build, it was too much. It was really getting in the way. The developers worried that they had to fix the security issues before releasing. Instead, we just started creating the issues and started doing proper planning. It is good to have visibility, but executing it all the time is just wrong, from our experience. You have to do it at the right time, and not all the time.

The solution integrates with developer tools, if you consider JIRA and GitHub as developer tools. We tried to use the IntelliJ plugin but it wasn't working straightaway and we gave up.

We haven't been using the container scanning of Veracode, mostly because we are using a different product at the moment to store our Docker images, something that already has some security scanning. So we haven't standardized. We still have to potentially explore the features of Veracode in that area. At the moment we are using Key from IBM Red Hat, and it is also software as a service. When you upload a Docker image there, after some time you also get a security scan, and that's where our customers are getting our images from. It's a private registry.

Overall, I would rate Veracode as a five out of 10, because the functionality is there, but to me, the usability of the user interface is very important and it's still not there.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Karen Meohas
Information Assurance Manager at xMatters
Real User
Top 20
Centralized view shows the status of all scans, and if I want more information about something, it's one click away

Pros and Cons

  • "In terms of secure development, the SAST scan is very useful because we are able to identify security flaws in the code base itself, for the application."
  • "Their dashboard is really good, overall. In my opinion, it's one of the best in the market, and I say that because we have used other service providers."
  • "The feature that allows me to read which mitigation answer was submitted, and to approve it, requires me to use do so in different screens. That makes it a little bit more complicated because I have to read and then I have to go back and make sure it falls under the same number ID number. That part is a little bit complicated from my perspective, because that's what I use the most."

What is our primary use case?

We have three use cases. We have the dynamic scans that we use to scan the production, public-facing URLs. We also use the static scan where we work with the Dev team and scan the code base for the web application and the mobile application on both iOS and Android. Our third use case is manual penetration tests, which my team manages. We do annual manual penetration tests.

It's deployed to our platform infrastructure, which is in a public cloud.

How has it helped my organization?

We have some major clients using Veracode. It saves us time when it comes to doing annual pen tests. When we say we're using Veracode and they are also using Veracode, we don't have to run the test twice. They accept what we have because they know the framework is going to be the same.

A pen test can take a month; it really depends on the number of flaws that are found. So when we don't have to run a pen test twice it saves a lot of time. It not only saves time for my team, but for other teams as well, because when we run a third-party pen test for clients, I not only need to have my team coordinating it, but it requires documentation and it requires my technical support to be involved. So it saves a lot of time for a number of teams.

The report content is very good because the reports are structured in a way that they explain the scope of the scan and what the policy is. A report shows, right at the beginning, if we have passed the scan for the policy or not. That's very helpful when sharing that report externally. It's something that we didn't have before and having that now is extremely useful because it avoids a lot of back and forth with clients. If we share a report and there is no further explanation necessary on how the scan works and what we're doing to fix the flaws, it saves additional manual work that would otherwise be needed to update that information. With Veracode, we can do it automatically, just by pulling a report from the dashboard. In addition, whatever they have on the reports meets industry expectations.

Veracode provides visibility into application status across all testing types, including SAST, DAST, SCA, and manual penetration testing, in a centralized view. I manage the team, I'm not involved in the daily operations. But as a manager, it's extremely helpful, because I just log in to my Veracode instance and, on the homepage, it shows the status of all the scans. If I want more information about something, it's one click. From a managerial perspective, it's extremely helpful. The centralized view helps reduce risk exposure. If there is something wrong with a scan, if a scan doesn't run or a scan is not complete, I know about it from the main dashboard.

In addition, the solution integrates with developer tools. That creates more efficiency in the workflows because they don't need to duplicate work.

Overall, its ability to prevent vulnerable code from going into production is very good. We recently onboarded a new application into the static scan and we had almost 1,000 flaws in the first scan. We were able to mitigate all of them in less than three months. The result was amazing, enabling us to find everything that could potentially create a problem for us.

What is most valuable?

All of its features are valuable to us. We are ISO certified and we also do annual SOC 2 audits. We deal with personal, identifiable information and we host confidential information from our clients. Our use of Veracode is based on our clients' requirements and on ISO requirements. It is something that we have in place to comply with what is required. In that context, the manual penetration test is a requirement from all our clients and we do it once a year.

In terms of secure development, the SAST scan is very useful because we are able to identify security flaws in the code base itself, for the application. The dynamic scanning is mostly used to make sure that whatever is deployed to production is secure.

Veracode provides guidance for fixing vulnerabilities. This doesn't enable developers to write secure code from the start, but Veracode provides guidance through security consultants. We can book consultations in case developers cannot fix a specific flaw, and they guide us through the process based on the CWE.

The efficiency of the solution when it comes to creating secure software is good. For us, it works well. Their dashboard is really good, overall. In my opinion, it's one of the best in the market, and I say that because we have used other service providers.

Its policy reporting for ensuring compliance with industry standards and regulations is very helpful. We can create our own policy, based on our internal risk management guidelines, and run the scans against our own customized policy. That way we can set expectations to fix flaws based on our internal timeline, and we can issue reports based on that. We usually share those reports with clients. That's very useful.

They are also always updating the types of threats and that's very useful.

In addition, they provide analytics on how we're doing in terms of fixing flaws and mitigating issues.

All of the services that Veracode provides are necessary for the type and the level of security and confidentiality that we need.

What needs improvement?

Whenever there is a mitigation that is submitted through the platform, I'm the one who approves it. The feature that allows me to read which mitigation answer was submitted, and to approve it, requires me to use do so in different screens. That makes it a little bit more complicated because I have to read and then I have to go back and make sure it falls under the same number ID number. That part is a little bit complicated from my perspective, because that's what I use the most.

For how long have I used the solution?

I have been using Veracode for a year.

What do I think about the stability of the solution?

The stability is good. We have never had problems.

What do I think about the scalability of the solution?

We will be using more of our products in Veracode starting in January. We added one more application into the dynamic scan and we added a couple more manual penetration tests to our projects. Once you understand how it works, it's very easy to deploy to different applications.

In terms of increasing our usage of the solution, we probably won't for the next couple of years, but we never know. It really depends on the requirements that we have from clients and the requirements of the standards and the regulations. Now, we are covering most of the applications and use cases that we need. We are doing 100 percent of the code base. We are doing dynamic scans on all the URLs in production, and the manual pen tasks are also covering all the applications.

We are doubling the ACV with Veracode for 2021, and that's a lot. After that, we're going to be good for the next couple of years, unless there is something new and the Dev team needs to use some other feature that I'm not aware of at this point.

For the dynamic scans I have a couple of people from the technical support team and one person from operations. For static scans, I have my entire iOS and Android team because, depending on the type of flaw, the ticket is given to different developers. I have about 20 to 25 Veracode users.

How are customer service and technical support?

Their technical support is usually very quick. They usually get back to us in less than 24 hours. We had a problem recently and it was the first time that we had a problem with Veracode support. We didn't get an outcome for three weeks and it created a major problem, but they usually get back to us in 24 hours.

Their Knowledge Base, their help site, is very useful. Most of the time we can find the information that we are looking for there. Sometimes we consult with their support team, but we can usually find information in their help site.

Which solution did I use previously and why did I switch?

We were using WhiteHat. We switched because the dashboard was very bad and there were no analytics. The UI was also very bad, so it was not easy to manage it. Also, most of our big clients were using Veracode and asking us to migrate to Veracode. It was a combination of things.

How was the initial setup?

The setup was straightforward. It takes some time in the beginning to onboard, but our onboarding process was easy from the moment that we actually connected the Dev team with Veracode. It's normal to have a certain degree of difficulty in the beginning but we didn't have any major problems.

Our deployment took between a month and 45 days.

We migrated from another vendor, so we first picked the services that we needed and the type. We started with the same scans that we had with the other vendor, and then we divided the work between the different teams. We had to have the iOS team onboard and the Android team onboard. I presented the new tool to them and created the accounts and, after that, we had parallel projects to onboard the different scans. It was definitely easier because I had different teams taking care of each one of the scans, meaning I could do everything in parallel.

For the dynamic scans we had one person involved from the technical support team. It was super-straightforward and super-easy to do. It took us a couple of hours to do it. The static scan takes a little bit more time because you have to prepare the packages. But we already had the packages ready because we migrated from another vendor. It took us some time to adjust the scans, but the actual work of uploading the packages took less than a week.

What was our ROI?

There is no direct ROI. There is a cost of security, overall. It saves a lot of time and it allows us to have the certifications and comply with the clients' requirements, but it's very hard to have a direct ROI. It's a cost for compliance and security that is worth it.

What's my experience with pricing, setup cost, and licensing?

Veracode is expensive. Some of its products are expensive. I don't think it's way more expensive than its competitors. The dynamic is definitely worth it, as I think it's cheaper than the competitors. The static scan is a little bit more expensive, around 20 percent more expensive. The manual pen test is more expensive, but it is an expensive service because it's a manual pen test and we also do retests. I don't think it is way more expensive than the competitors, but it's about 15 to 20 percent more expensive.

There is also a fee for the support package, which I think is extremely expensive. We used to have the premium support and we didn't use most of it, so we're downgrading to the basic support, and even the basic support is expensive.

Which other solutions did I evaluate?

We evaluated BitSight. The main advantage of Veracode was the UI, the dashboard. It's very easy to use and to manage.

What other advice do I have?

I can give advice to other managers. If they are willing to properly manage, but they don't have the time or the bandwidth to actually operate, it's a very good tool. It's easy to get access to information and it's easy to understand what's going on with your application without much of a burden. You don't have to waste a lot of time trying to understand a complicated report. Everything is accessible. And the amount of information that Veracode gives based on the flaws is very straightforward and makes it easy for the Dev team to fix them.

I would rate it at eight out of 10. The tool itself is a very good tool. The way they work to update the flaws and the findings is very effective. But the support is a little bit expensive and it could be a little bit better. And there are few things that could be updated in the UI, but overall it's a very good tool.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Google
Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
SS
Head Of Information Security at a media company with 51-200 employees
Real User
Top 20
I used a lot of the findings to put pressure on our vendors to try to improve their security postures

Pros and Cons

  • "The most valuable features are that you can do static analysis and dynamic analysis on a scheduled basis and that you can push the findings into JIRA."
  • "The policies you have, where you can tune the findings you get, don't allow you not to file tickets about certain findings. It will always report the findings, even if you know you're not that concerned about a library writing to a system log, for example. It will keep raising them, even though you may have a ticket about it. The integration will keep updating the ticket every time the scan runs."

What is our primary use case?

We use Veracode for static analysis of source code as well as some dynamic analysis.

How has it helped my organization?

It's valuable to any business that has software developers or that is producing software that consumers use. You have to do some type of application security testing before allowing consumers to use software. Otherwise, it's risky. You could be publishing software with certain security defects, which would open up your company to the likelihood of a class action lawsuit.

I don't have any examples of how it improved the way our company functions. However, I did use a lot of the findings to put pressure on our vendors to try to improve their security postures.

Veracode has helped with developer security training and helped build developer security skills. Developers who get the tickets can go into it and take a look at the remediation advice. They have a lot of published documentation about different types of security issues, documentation that developers can freely get into and read.

The integration with JIRA helps developers see the issues and respond to them.

What is most valuable?

The most valuable features are that you can do static analysis and dynamic analysis on a scheduled basis and that you can push the findings into JIRA.

Static Analysis Pipeline Scan was able to find security defects in the software we were sending its way. For both Android and iOS that worked very well. It did have a lot of false positives though, but at least we knew it was working. The speed of the pipeline scan was completely reasonable. I don't have any complaints about the time it took.

What needs improvement?

The efficiency of Veracode is fine when it comes to creating secure software, but it tends to raise a lot of false positives. It will tell you about a lot of issues that might be hard for an attacker to actually manipulate. Because of that it's very difficult, sometimes, to sort through all of the findings and figure out what you actually ought to pay attention to. Maybe calling them false positives isn't entirely accurate. There were a lot of things that it would raise that were accurate, but we just didn't consider them terribly important to address because it would be very hard for an attacker to actually use them to do anything bad. I think it frustrated the engineers at times. 

Also, the policies you have, where you can tune the findings you get, don't allow you not to file tickets about certain findings. It will always report the findings, even if you know you're not that concerned about a library writing to a system log, for example. It will keep raising them, even though you may have a ticket about it. The integration will keep updating the ticket every time the scan runs.

We couldn't make it stop. We tried tuning the policies. We had several meetings with the Veracode team to get their feedback on how we could tune the policies to quiet some of these things down and nothing ever resulted in that. Ultimately we couldn't stop some of these alerts from coming out.

Even stranger, for some of the issues raised, such as the ones that were in the vendor code base, we would put the status in Veracode that we communicated this to the vendor, but then, the next time the scan was run, it would find the same issue. One time it would respect that update and the next time, afterwards, it wouldn't respect it and it would generate the issue again. It was really weird. It was reopening the issues, even though they should have been in a "closed" state.

Another significant area for improvement is that their scanning had a lot of problems over this last year. One of the biggest problems was at first it wasn't able to read packaged Go. When I say packaged Go, I mean packaged the way the Go programming language says you're supposed to package Go to deploy the software, when you're using multiple build modules together to make an app. That's a totally normal thing to do, but Veracode was not able to dig into the packages and the sub-modules and scan all the code. It could only scan top-level code.

Once they fixed that problem, which took them until August, we found that it kept reporting that there were no problems at all in our Go code base. That was even scarier because it would usually give all these false positives on our other repositories. I had the application security engineer write a bunch of known defects into some Go code and push it in there and scan it, and it didn't raise anything with any of that. They're advertising that they have a Go scanner, but it doesn't actually function. If our company was going to continue in business, I would have asked them for a refund on the license for the Go scanner at our next renewal, but since we're going out of business, I'm not renewing.

I would also love to see them make it easier to debug the JIRA integration. Right now, all of the logs that are generated from the JIRA integration are only visible to the Veracode engineering team. If you need to debug this integration, you have to have a live meeting with them while they watch the debug messages. It's utterly ridiculous. Their employees are really nice, and I appreciate that they would go through this trouble with me, but I think it's terrible that we have to bother them to do that.

For how long have I used the solution?

I have been using Veracode for about a year.

What do I think about the stability of the solution?

It's highly stable.

What do I think about the scalability of the solution?

It scaled fine. We didn't have any problems with it not being available or going down during our scans. We have used it 100 percent, meaning we've taken advantage of every license we bought.

How are customer service and technical support?

Their support was really good. I would give them a B+ and maybe an A-. The only thing that's really taking support down is the product itself. You and the support team are fighting against the product. The people at Veracode were great though.

Which solution did I use previously and why did I switch?

We didn't have a previous solution. 

How was the initial setup?

The initial setup was pretty complex. We had to integrate it with our CI/CD pipeline. This required writing custom code. Once it was integrated there, we had to have the development team make some changes to how they pushed a release to a special branch so it would go to Veracode on a weekly basis. And once it started raising the issues, we had to work on that JIRA-Veracode integration, which was not straightforward at all and required a lot of debugging help from the Veracode engineering team. They provided that and that was great, but ideally it would show you the error messages so that you don't need their help.

The initial deployment took about two or three weeks and then we had to come back and tune it several times, so there were another two to three weeks of tuning. Altogether, it was about six weeks of effort on our part.

Initially, we had one person working on the deployment, and then I started working on it as well. Later, there were four of us working with Veracode during these calls to try to do the policy tuning and figure out if we could make it work better for everyone.

We had six people using the solution: four software engineers and two security engineers.

What was our ROI?

I'm not sure if we have seen ROI. We didn't have any high-severity security defects being raised by Veracode, and that's just a function of the development team members we had. It helped in protecting ourselves from potential class action lawsuits.

What's my experience with pricing, setup cost, and licensing?

The pricing is really fair compared to a lot of other tools on the market.

It's not like a typical SaaS offering. Let's say you got SaaS software from G Suite. You're going to get Google Docs and Google Drive and Google Sheets, etc. It's going to be the same for everybody. But in Veracode, it's not. You buy a license for specific kinds of scanners. I had two licenses for static analysis scanners and one license for a dynamic analysis scanner. 

Which other solutions did I evaluate?

I chose Veracode over others because it supported the programming languages we're using. It had the best language support. A lot of the other solutions might have supported one of the languages we're using, but not all of them.

What other advice do I have?

My advice would be to definitely have some code that has a lot of security defects embedded into it and to run it through the scanner to test it early on in the process, ideally during the evaluation process. If your company works in five programming languages, you would want to create some code in each of those languages, code that has a lot of security defects, and then run the scanner over it to just make sure it can catch the security vulnerabilities you need it to catch and that it's consistent with how it raises those vulnerabilities.

Veracode provides guidance for fixing vulnerabilities but that doesn't enable developers to write secure code from the start. The way the product works is it scans code that has already been written and then raises issues about the security problems found in the code. That is the point at which the developer sees the issue and can look at the remediation advice Veracode gives, and the possible training. But it doesn't allow them to write secure code in the first place, unless they really remember everything. It does educate them about it, but it's usually after the fact.

The solution provides policy reporting for ensuring compliance with industry standards and regulation. While those features were not applicable to us, they were in there. I think they would be very useful for anyone working in a high-compliance industry.

It also provides visibility into application status across all testing types, including SAST, DAST, SCA, and manual penetration testing, in a centralized view. If you buy the SAST and DAST license, of course you'll see those scan results inside that view, but to see the pen testing that means you'd have to buy pen testing from them as well. Seeing those testing types in one view didn't really affect our AppSec. It's nice for the security team, but it's just not that important because they weren't in there everyday looking at it. Since we had the JIRA integration, the defects would flow into JIRA. The software engineers would take a look at it and categorize whether it was something they could fix or something that was in a vendor's library. The software engineers would prioritize the things that they could fix, and if it was in a vendor's library, I would batch those up and communicate them to the vendor.

Overall, I would grade Veracode as a "B" when it comes to its ability to prevent vulnerable code from going into production. It will find everything that's wrong, but it doesn't have enough tuning parameters to make it easier for organizations without compliance burdens to use it more effectively.

Overall, it's pretty solid. I would give it an eight out of 10.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Srinivasa Rao Kuruba
Manager, Information Technology at Broadcom Corporation
Real User
Our teams get a list of all vulnerabilities and incorporate fixes, ensuring that these issues do not happen in future code

Pros and Cons

  • "It is SaaS hosted. That makes it very convenient to use. There is no initial time needed to set up an application. Scanning is a matter of minutes. You just log in, create an application profile, associate a security configuration, and that's about it. It takes 10 minutes to start. The lack of initial lead time or initial overhead to get going is the primary advantage."
  • "When it comes to the speed of the pipeline scan, one of the things we have found with Veracode is that it's very fast with Java-based applications but a bit slow with C/C++ based applications. So we have implemented the pipeline scan only for Java-based applications not for the C/C++ applications."

What is our primary use case?

Veracode has both static application security testing as well as dynamic application security testing, also called Dynamic Analysis. Our primary use case was on the static analysis side, not on the dynamic, because we have an automated tool in the dynamic analysis scope. So our primary use was static analysis security testing.

How has it helped my organization?

Application security improved a lot because the teams got a list of all vulnerabilities, they analyzed them, and then they incorporated the fixes. It helped ensure that these kinds of issues would not happen when they wrote code in the future, because when the fix was applied, it was applied to all the vulnerabilities. That means our AppSec improved greatly once we started using Veracode.

It has SAST, DAST, as well as SCA—software composition analysis, which is used for finding vulnerabilities in third-party components. All these are in one tenant. Veracode provides a uniform view that enabled us to see the vulnerabilities of an application holistically. Our primary use case was the SAST. The DAST and SCA were not for our products. It definitely helped reduce risk exposure because, no matter how secure the code you write is, ultimately, you end up using third-party libraries. So finding vulnerabilities in the third-party libraries is also essential and this unified view gave us a holistic security profile of the application, rather than just our code or just the third-party code or only static or only dynamic. All these pieces are combined to give a unified view. It helped give a holistic picture of the security status of the application.

What is most valuable?

The most valuable feature, from a central tools team perspective, which is the team I am part of, being a DevSecOps person, is that it is SaaS hosted. That makes it very convenient to use. There is no initial time needed to set up an application. Scanning is a matter of minutes. You just log in, create an application profile, associate a security configuration, and that's about it. It takes 10 minutes to start. The lack of initial lead time or initial overhead to get going is the primary advantage. 

Also, because it's SaaS and hosted, we didn't have any infrastructure headache. We didn't have to think about capacity, the load, the scan times, the distribution of teams across various instances. All of this, the elasticity of it, is a major advantage.

There are two aspects to it. One is the infrastructure. The other one is the configuration. There are a lot of SaaS solutions where the infrastructure is taken care of, but the configuration of the application to start scanning takes some time to gain knowledge about it through research and study. That is not the case with Veracode. You don't have any extensive security profiles to consider. It's a two-pronged advantage.

Veracode also reports far fewer false positives with the static scanning. The scanner just goes through the code and analyzes all the security vulnerabilities. A lot of scanning tools in the market give you a lot of false positives. The false positive rate in Veracode is notably less. That was very helpful to the product teams as they could spend most of their time fixing real issues.

Veracode provides guidance for fixing vulnerabilities and that is one of their USPs—unique selling propositions. They provide security consultations, and scheduling a consultation is very easy. Once a scan is completed, anybody who has a Veracode login can just click a button and have a security consultation with Veracode. That is very unique to Veracode. I have not seen this offered in other products. Even if it is offered, it is not as seamless and it takes some time to get security advice. But with Veracode, it's very seamless and easy to make happen.

Along those lines, this guidance enables developers to write secure code from the start. One of the advantages with Veracode is its ability to integrate the scanning with the DevOps pipeline as well as into the IDEs of the developers, like Eclipse or IntelliJ or Visual Studio. This type of guidance helps developers left-shift their secure-coding practices, which really helps in writing far better secured product.

Another unique selling point of Veracode is their eLearning platform, which is available with the cloud-hosted solution. It's integrated into the same URL. Developers log into the Veracode tenant, go through the eLearning Portal, and all the courses are there. The eLearning platform is really good and has helped developers improve their application security knowledge and incorporate it in their coding practices.

One of the things that Veracode follows very clearly is the assignment of a vulnerability to the CWE standard or the OWASP standard. Every vulnerability reported is tied to an open standard. It's not something proprietary to Veracode. But it makes it easy for the engineers and developers to find more information on the particular bug. The adherence to standards helps developers learn more about issues and how to fix them.

We use the Static Analysis Pipeline Scan as part of the CI pipeline in Jenkins or TeamCity or any of the code orchestrators that use scanning as part of the pipeline. There's nothing special about the pipeline scan. It's like our regular Veracode Static Analysis Scan. It's just that if it is part of the pipeline, you are scanning more frequently and finding flaws at an earlier point in time. The time to identify vulnerabilities is quicker.

Veracode with the integrated development environments that the developers use to write code, including Microsoft Visual Studio, Eclipse, IntelliJ IDEA, etc. It also integrates with project and portfolio management tools like JIRA and Rally. That way, once vulnerabilities are reported you can actually track them by exporting them to your project management tools, your Agile tools, or your Kanban boards. The more integrations a scanning tool has, the better it is because everything has to fit into the DevOps or DevSecOps pipeline. The more integrations it has with the continuous integration tools, the IDEs, and the product management tools, the better it is. It affects the adoption. If it is a standalone system the adoption won't be great. The integration helps with adoption because you don't need to scan manually. You set it up in the pipeline once and it just keeps scanning.

What needs improvement?

When it comes to the speed of the pipeline scan, one of the things we have found with Veracode is that it's very fast with Java-based applications but a bit slow with C/C++ based applications. So we have implemented the pipeline scan only for Java-based applications not for the C/C++ applications.

For C++ based languages, or languages where there is a platform dependency—for example, if I write C language code it is dependent on whether I'm executing that on Windows, or on Linux, or another platform—and with some of these platforms-specific languages, Veracode makes something called debug symbols that are introduced into the code. That gets cumbersome. They could improve that or possibly automate. If Veracode could quickly analyze the code and make file-line flags, that would be great. It is easy to do for Java, Python, and Pearl, but not so easy for C++. So when it comes to the debug symbols, guidance or automation could be improved.

Also, scan completion, as well scanning progress, is not reported accurately. Sometimes the scan says it will complete in two to three hours but it will take four or five hours. That is one of the areas where they can give a more accurate estimate.

For how long have I used the solution?

I used to work for CA Technologies, which was acquired by Broadcom. Back in 2017, CA Technologies acquired Veracode, and that is when I started administering Veracode. Since it was a CA product, all product teams in various business units within CA were asked to adopt Veracode for their static analysis. My team is the central tools team and had the responsibility of enabling and deploying Veracode for all the product teams. So we used Veracode starting in 2017. I used it both in a DevSecOps lead role and as a Veracode admin and security admin.

What do I think about the stability of the solution?

It's quite stable because everything is in the cloud. I really don't need to worry about the stability at all or the frequency of the scans. It's all taken care of by the Veracode platform.

What do I think about the scalability of the solution?

It is scalable. We had about 500 applications, out of which 200 were being scanned regularly. It was in the AWS infrastructure and it was quite scalable. The elasticity was all taken care of. We were scanning a huge set of enterprise products.

We had roughly 2,000 Veracode users. Generally they were developers but there were QA people, as well as the program managers because they needed to add the vulnerabilities and see the health of the product. We also had security champions to advise the product teams on their scanning and vulnerabilities. In addition, general security also accessed it to provide consultation on how to fix vulnerabilities. We were able to give privileges and access control based on each individual.

We stopped our use of Veracode on November 1st, 2020, about 30 days ago. But when we were using it for the three-and-a-half years, the usage was very extensive.

How are customer service and technical support?

The customer support was two-pronged. One was the security consultation and that was top-notch. The security support helped teams understandable the vulnerabilities 

The regular customer support for issues was quite prompt and had good SLA turnarounds.

What was our ROI?

Veracode is one of the more expensive solutions in the market, but it is worth the expense because of the eLearning and the security consultations; everything is included in the license. It's a good return on investment because it improves the application security for all the different types of scans.

It reduced the cost of AppSec for our organization because otherwise we would have had to go through multiple vendors for application security. With Veracode, one solution fit all our needs. It reduced the AppSec cost by reducing the numbers of vendors. Typically, you would have different products for different types of scanning. For static analysis you might use one tool, and for dynamic another, and for third-party software composition analysis you might use another. And after using all those tools, you might still have to consult with another vendor. Veracode combines all this into a single solution.

I would estimate that it saved us $500,000 a year.

Which other solutions did I evaluate?

We have been using the Synopsys tool from Coverity for our static analysis.

Veracode is superior in terms of infrastructure because it is cloud-hosted. We don't have that with Coverity on-premise. We need to take care of capacity planning, infrastructure procurement. Also, with Coverity we have to invest some time to enable various checkers. The security profile configuration takes time compared to Veracode.

Coverity, on the other hand, is more robust and it works with the C programming languages.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
SM
Principal for the Application Security Program and Access Control at a engineering company with 10,001+ employees
Real User
Top 20
The time savings has been tremendous, but the UI is too slow and its user experience has much to be desired

Pros and Cons

  • "The time savings has been tremendous. We saw ROI in the first six months."
  • "There is much to be desired of UI and user experience. The UI is very slow. With every click, it just takes a lot of time for the pages to load. We have seen this consistently since getting this solution. The UI and UX are very disjointed."

What is our primary use case?

We use it for dynamic scanning and Static Code Analysis as well as for Software Composition Analysis (SCA).

We do use this solution's support for cloud-native applications.

How has it helped my organization?

We are a startup with 350 employees. The AppSec program initially was focused and aligned with regulatory audit, and compliance. However, over the past two years, we have "shifted left" : integrating AppSec early in our SDLC process. Having this tool has fast-tracked our response times in terms of scanning the code for third-party library vulnerabilities. 

What is most valuable?

The SCA, which detects vulnerabilities in third-party and open source libraries, was something new for us and is very well done. It provides guidance for fixing vulnerabilities. 

What needs improvement?

When we go from the dynamic scan to static scan to SCA, there is a huge change in the UI. This was not relayed to us when we were buying the product nor during the demo. They mentioned, "Yeah, this was an acquisition. The third-party library scanner was an acquisition from SourceClear."

You can see there is a huge difference in the user experience in terms of both the display as well as the usability of the product. That is one of our pet peeves: They are not normalizing the UI across the three product segments. We had numerous calls with them early on because we were new to the platform. The sales team is not aligned with the support team. The support team keeps telling us to use a different UI versus the one that the sales team showcased during the sales cycle.

There is much to be desired of UI and user experience. The UI is very slow. With every click, it just takes a lot of time for the pages to load. We have seen this consistently since getting this solution. The UI and UX are very disjointed. It is ironic that they claim themselves as agile AppSec tool, but their UI doesn't reflect that.

We had a couple of consulting calls, and perhaps it may be the engineers that we got, they were not really up to speed with our frameworks. They were very focused on .NET and Java, which are legacy frameworks for us. We don't use these at all in our code base. We are using the newer, modern web frameworks, like Django. They have very little coverage or knowledge base on these, especially on the mobile side.

There are a lot of faults with the Static Analysis Pipeline Scan tool. Their tool seems to be very good with legacy products, which are developed in .NET and Java frameworks, but there are false positives when it comes to using modern web frameworks, like Python and Django. The C++ code doesn't even scan. We have spent at least three weeks worth of time going back and forth because it won't support the use cases that we have.

For how long have I used the solution?

We have been using Veracode for over a year now.

What do I think about the stability of the solution?

It hasn't gone down. Nobody has complained about the Pipeline Scan being broken. The couple of times that they have, it was more to do with our ineptitude than with the platform capabilities. Once we understood how the platform is working and the gotchas associated with it, we were able to have a workaround within its constraints.

For our use case, it is sufficient. It has been up and running for quite some time and we haven't had any downtime experience with it. We get proactive notifications from Veracode about any upcoming maintenance, batch schedules, and other things. They have been pretty good with that. 

What do I think about the scalability of the solution?

There haven't been any issues with multiple users logging in and slowing it down. It has just been inherently slow. 

How are customer service and technical support?

We clearly mentioned during our purchase cycle that we have C++ code, a Swift code from a US perspective, Python libraries, etc. We were given assurances that these were absolutely covered under the solution. However, when we started investigating through support tickets, they admitted that these were not supported. We have very limited support for C++ code scans and other things. That was a bummer from my perspective.

The support has been good. However, we work in an agile environment and our release cycles are literally every two weeks. Their response times have been very delayed, especially as we are in the Pacific Time Zone and they are in the Eastern Time Zone. 

They have a great support portal to do self-service. We have been pretty impressed with that, but we soon realized that anything you pick is 10 days to two weeks out. That has been a non-starter for us. We had to constantly escalate through our account team to get an engineer on the call, because we were in the middle of a release and needed to scan the product at the moment.

At this point, we are doing sandbox scanning. We have implemented it with our Jenkins CI/CD tool to really scan the code, upload, etc. It took awhile for us to figure it out because the support wasn't really helpful. We had to hack our way into getting through the documentation. Since the time they acquired SourceClear, they haven't really cleaned up or integrated the documentation well, and that may be one of the reasons. However, we were able to find the right combination of keys to make it work.

Which solution did I use previously and why did I switch?

We were previously using WhiteHat Security. Their lack of customer service prompted us to switch. Every question that we asked was just going into a black hole. The only time that we got any response was when our account was up for renewal. We had a long discussion with them to get a rationale behind their lack of response, and that was the only time they listened. There was no follow-up. That is when we decided that this is not a partnership that we wanted to continue anymore.

Veracode has automated a lot of the manual stuff that we were doing in terms of scanning third-party libraries. With any given release, I was spending from eight to 10 hours manually scanning through all 3rd-party libraries for vulnerabilities. Now, it is all within the Pipeline. So, I am saving about 10 hours in a given month with it.

How was the initial setup?

The initial setup was moderately complex. The onboarding of the tenant, single sign-on, and access control were easy, but when it came to the real work of integrating the Pipeline Scan and our ticketing system, that is broken at this point. I spend most of my time manually doing this, and if they could fix that portion, that would save me another two hours worth of my time with every release.

The deployment took two to three weeks.

Because this was a SaaS service, we just onboarded one team, then looked through some of the gotchas from login and access perspective. Once the pilot users were all cleared up for any potential issues, we then onboarded the rest of the team. We have a small team of 40 users from a development perspective.

It's pretty straightforward from an onboarding perspective because it is all SaaS. We just needed to whitelist some IPs from Veracode for scanning some of our code, which are not publicly available. Beyond that, everything was pretty straightforward.

What about the implementation team?

The solution was implemented by an internal consultant and me.

What was our ROI?

The time savings has been tremendous. We saw ROI in the first six months.

What's my experience with pricing, setup cost, and licensing?

It is very reasonably priced compared to what we were paying our previous vendor. For the same price, we are getting much more value and reducing our AppSec costs from 40 to 50 percent.

We bought the product for its expected benefits, in terms of all the bells and whistles that we saw during the sales cycle. When it came time to really implement it, that is where we have been having buyer's remorse.

Which other solutions did I evaluate?

We evaluated Micro Focus, Black Duck, SonarSource, and Coverity. We felt Micro Focus was the closest to really addressing all three of our needs, which is SAST, DAST, and the third-party software composition analysis. Micro Focus had the most complete execution from an implementation perspective, but it was very expensive for us. We went with Veracode because it was within our price point. 

We are getting huge value out of the dynamic scan and third-party library scanning. However, the initial euphoria has died down at this point, so we will be looking at additional tools to augment some of the solution's shortcomings.

What other advice do I have?

It is good for third-party scanning and if your code base is all modern web frameworks. It is also great for the third-party analysis. However, the Software Composition Analysis is not good if you have C++ code or anything legacy, as it does not cover that. It also does not cover iOS code. It has a lot of constraints.

The solution’s policy reporting for ensuring compliance with industry standards and regulations is fine. We are using it for internal reporting, but we haven't really dug into the policy definitions and tweaking them. We are using its default policies.

As part of our validation and testing, we are able to catch vulnerable code early on. That has been helpful. Automating some of the process has been really helpful, at least from our team's effort perspective. The tool highlights the risk associated with vulnerabilities. That effort is very much automated with this tool.

I would rate this solution as a six out of 10. If you have legacy applications, the solution is great. Their SaaS scanning is geared towards that. If you have modern frameworks, the SaaS scanning and dynamic scanning don't provide much value. My advice to anybody looking at Veracode: Use them for third-party scanning. They are really good at that because of their SourceClear acquisition. For the rest of their products though, just keep looking.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Deepak Naik
Product Owner - DevOps at Digite
Real User
Top 20
The centralized view of different testing types helps reduce our risk exposure

Pros and Cons

  • "The centralized view of different testing types helps reduce our risk exposure. The development teams have the freedom to choose their own libraries and languages. What happens is sometimes developers feel like a particular library is okay to use, then they will start using it, developing some functionality around it. However, as per our mandate, for every new repository that gets added and scanned, a report gets published. Based on that report, we decide if we can continue. In the past, we have found, by mistake, some developers have used copyleft licenses, which are a bit risky to use. We immediately replace these with more permissive, open-source licenses, so we are safe in the end."
  • "If the dynamic scan is improved, then the speed might go up. That is somehow not happening. We have raised this concern. It might also help if they could time limit scans to 24 hours instead of letting them go for three days. Then, whatever results could be shared, even if the scan is not complete, that would definitely help us."

What is our primary use case?

We use Veracode primarily for three purposes:

  1. Static Analysis, which is integrated into our CI/CD pipeline, using APIs. 
  2. Every release gets certified for a static code analysis and dynamic code analysis. There is a UAT server, where it gets deployed with the latest release, then we perform the dynamic code scanning on that particular URL.
  3. Software Composition Analysis: We use this periodically to understand the software composition from an open source licensing and open source component vulnerability perspective.

How has it helped my organization?

For the issues that are being reported by Veracode, normally we collect those issues, and at least once a quarter, we have an awareness session with the developer. We then explain that what is the vulnerable pattern that has been caught and how to avoid it in the future, so they will not introduce it in the first place.

The main benefit of Veracode is it can give you a report in various formats, e.g., PCI compliant. That is very helpful for us. It gives our customers confidence because they trust Veracode. When we submit a report generated by Veracode, they accept it. We have seen in the past that this has helped us during the pre-sales cycle, and from that aspect, it is pretty powerful.

The centralized view of different testing types helps reduce our risk exposure. The development teams have the freedom to choose their own libraries and languages. What happens is sometimes developers feel like a particular library is okay to use, then they will start using it, developing some functionality around it. However, as per our mandate, for every new repository that gets added and scanned, a report gets published. Based on that report, we decide if we can continue. In the past, we have found, by mistake, some developers have used copyleft licenses, which are a bit risky to use. We immediately replace these with more permissive, open-source licenses, so we are safe in the end. 

What is most valuable?

The static code analysis, which is integrated into the CI/CD environment, is a valuable feature. We get quick results of what has gone into the environment in terms of any vulnerability in the code and for the Eclipse plugins of Veracode. This is one of the more valuable features because a developer can get a sense at the line level if there are any issues. 

What needs improvement?

It is pretty efficient when creating secure software. For one or two particular applications, the dynamic code analysis can take too much time. Sometimes, it takes three days or more. That is where we find speed getting dragged. Apart from that, it is pretty efficient for us to get results and make our software secure.

If the dynamic scan is improved, then the speed might go up. That is somehow not happening. We have raised this concern. It might also help if they could time limit scans to 24 hours instead of letting them go for three days. Then, whatever results could be shared, even if the scan is not complete, that would definitely help us.

They could probably provide some plugins for the Visual Studio code.

For how long have I used the solution?

Five years.

What do I think about the stability of the solution?

It is pretty stable with no issues.

What do I think about the scalability of the solution?

If they need to scale back-end infrastructure to make the scan faster, then they should do it. Apart from that, there are no issues to mention.

One person can just start a scan. In our case, the DevOps team does it. They configure it once, then do it. However, the cycle takes time, depending on the codebase size, to look at an issue, identify if there are true positives, and then work on it. It is one person's almost full-time job.

I have a team of around six security professionals team who work on Veracode and use the tool. Two of them are team leads, two of them are senior developers, one is a DevOps engineer, and another one is a junior developer.

How are customer service and technical support?

We normally create a ticket for Veracode support, then they respond back within 24 hours. Our experience with them is generally very positive.

Normally, the report that we get is self-explanatory, but sometimes there are false positives or some issues that we don't understand. For those, we schedule a consultation call, where they then come on a call and provide guidance on how to fix them. That is pretty cool.

Which solution did I use previously and why did I switch?

Before Veracode, we had a manual process where we hired white hat hackers. They used to do all the scanning, then submit a report. That process was pretty lengthy. It sometimes could go on for three to six months. Nowadays, for static code scanning, we are doing it on regular basis. Since there are not many issues reported, we can fix them on the fly. For dynamic code analysis, it still takes a week's time because the scanning itself takes three days sometimes. Then, once the scanning is done, we check if there is an issue, fix it, and then start the scan. That is a week-long process, but the rest is pretty under control.

How was the initial setup?

At the time that we set it up, it was quite complex. Now, they have made it pretty simple to use and a brief process. However, we felt the process was quite complicated when we did it. For example, when we initiated the static scan for the JavaScript, we needed a lot of instrumentation. That specific instrumentation that needs to be done at the JavaScript layer. Now, they can accept the bundle as it is and still identify the issue at the line number level. So, that is an enhancement.

They have done some improvements on the triage screen where you can look at all the issues. You can perform various actions over there, like mitigations or adding comments. They have simplified that interface a bit and made it a little faster. Earlier, we used to take quite a time for the check-in and check-out operations. However, now, it is quite fast. If we had to redeploy it from scratch, it would take around 30 minutes.

To start a static code scanning, do an upload, and start a scan, it hardly takes 10 minutes.

What about the implementation team?

We do the setup and implementation ourselves.

What was our ROI?

Veracode has definitely helped us close deals with the software being compliant to our customers' various standards. 

Before we had Veracode, customers might have demanded some scanned compliance reports, which we didn't have. Because of that, we might have lost some customers during the pre-sales cycle. That cost is huge compared to what we are paying for Veracode.

It has saved our developers' time from six months to two weeks.

What's my experience with pricing, setup cost, and licensing?

If I compare the pricing with other software tools, then it is quite competitive. Whatever the price is, they have always given us a good discount.

Which other solutions did I evaluate?

We also used Contrast Security for real-time scanning on an experimental basis. If that is successful, we will probably roll that out. Contrast Security is very focused on run time scanning. Veracode also has some kind of module for this that we have not explored. However, the Contrast Security tool was suggested to us by one of our customers. We have not compared Veracode and Contrast Security yet.

The other tool which we use is Burp Suite for performing some manual verification. This is apart from what Veracode is not able to. Our customers are also reporting some vulnerabilities because they have their own scans. To verify those types of issues, we use Burp Suite. Burp Suite is pretty handy when you want to quickly do some penetration testing and verify some vulnerabilities. It is definitely a unique tool, and I don't think there is this kind of module with Veracode.

What other advice do I have?

I'm pretty confident about Veracode's ability to prevent vulnerable code from going into production when I'm using it.

When you use Veracode, instead of using it as a manual tool, you should integrate it into your CI/CD pipeline. This way, every build is certified. Then, if there is an issue, you will know about it earlier in the development cycle, not later. Because as the time passes, it becomes more difficult to fix that issue.

With Veracode's support for cloud-native applications, there are some components of our application (which are cloud-native), that we treat in the same way as regular software, e.g., the source code and dynamic URLs. We don't have a model where we can do the real-time scanning. This is something which is currently in talks for maintaining the security of the distributed application. Hopefully, that should get implemented in about two months' time.

The reports that they share have been pretty informative, but someone has to go through them and read them quickly. In the early days, they might have offered some kind of training plan, but we did not opt for that.

Veracode has a plugin which we use, and it works with developer tools.

While there are false positive, there aren't much (around 10 percent). We normally farm these to the Veracode team, who act accordingly. Our developers still report 90% valid issues, and this is satisfactory for us.

Biggest lesson learnt: Security should not be an afterthought. 

I would rate this solution as an eight out of 10. I took off points due to the extra time that it takes to do the dynamic scan.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.